Have I Been Pwned Receives 585M Passwords from the UK Government
The United Kingdom’s National Crime Agency Improved the HIBP Database with Millions of Passwords.
Have I Been Pwned (HIBP), the service that lets users check whether their login data has been made public, has recently expanded its password database with help from the UK government. The National Crime Agency (NCA) of the United Kingdom has shared over 585 million passwords with the service.
The FBI follows the same practice and has contributed passwords to Have I Been Pwned over time. The information obtained from the UK government was added to the Pwned Passwords data, which users can query to check whether their passwords have been leaked online.
Pwned Passwords are hundreds of millions of real world passwords previously exposed in data breaches. This exposure makes them unsuitable for ongoing use as they’re at much greater risk of being used to take over other accounts. They’re searchable online below as well as being downloadable for use in other online systems.
The National Cyber Crime Unit (NCCU) of the NCA provides the agency with these credentials, which are collected during the analysis of cybersecurity incidents.
Troy Hunt, the creator of the HIBP service, published a blog post yesterday announcing that, out of all the data from the NCA, 225,665,425 passwords were new and unique.
The NCA’s corpus represented a significant increase in size. Working in collaboration with the NCA, I imported and parsed out the data set against the existing passwords, I found 225,665,425 completely new instances out of a total set of 585,570,857. As such, this whole set (along with other sources I’d been accumulating since November last year) has all been rolled into a final version of the manually released Pwned Passwords data.
As Mr. Hunt mentioned, the latest NCA contribution increased the size of the Pwned Passwords database by 38%.
According to BleepingComputer, the National Crime Agency informed Hunt about the source of the passwords: a UK business’s cloud storage location that unknown cybercriminals had used to store compromised login information. According to investigators, the credentials came from various data breaches and were exposed to third parties, which could have resulted in further fraud.